The Psychology of Social Engineering
Social engineering is one of the greatest threats to cyber security in our everyday lives. Whether at the business level or simply at the individual level, it is clear that we are facing an ever-growing threat. The best way to fight social engineering is to understand not just what it is, but the psychology behind it.
First off, what is social engineering?
Simply put, social engineering is "the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes". The key words in this definition are "manipulate individuals", which means that social engineering isn't always a simple malware link you can accidentally click. There will always be a human aspect to it that criminals are trying to exploit. They make it personal and real, and after years of experience they're good at what they do. Additionally, it is important to note that social engineering isn't limited to the cybersecurity realm. Whether you realize it or not, you are being engineered every day through billboards, commercials and all types of media.
Examples of social engineering include:
- Phishing/spear phishing attacks
- Social media impersonation
- Business email impersonation
- Spam calls
The Art of Persuasion
The centerpiece of social engineering is manipulation and persuasion. Sadly, people often don't realize that persuasion is an art in and of itself. There are a lot of factors that go into persuading someone to make a desired decision.
Most of the time we only have a limited amount of time to make a decision. Sometimes we are given only seconds to make a critical one. Because of this, our brain relies on psychological "shortcuts" that help us process information and make fast choices. This isn't always a bad thing; it's just how our brain has evolved to handle life. However, social engineers know these shortcuts and are masters at manipulating them.
Biggest Shortcuts
Here are some of the biggest shortcuts and reasons we make the decisions we do.
Reciprocity: If someone offers us a service or gift we feel obligated to give something in return.
Who hasn't felt this? Your friend gets you a really nice birthday gift, so for their birthday you want to give them something just as special. This is usually harmless and just a part of human nature, but cybercriminals know how to work this shortcut. An example of this came earlier in 2020, when the Twitter accounts of quite a few political figures like Barack Obama and CEOs such as Elon Musk were hacked and displayed the following message:
Faux Elon Musk here is offering to double any bitcoin payment made to him in the next hour. With such a generous offer, you should feel obligated to send him some cash, right? Well, a few hours later it was revealed that his Twitter account, as well as others, had been hacked and that this amazing deal was in fact fake.
Scarcity: Humans act faster and make less logical decisions when something is in high demand or of scarce quantity.
When we receive an email claiming that a long-lost relative left us $10,000, our brains light up, because who doesn't want more money? And you're telling me all I have to do is send you my bank account info and I can get it today? Deal! Social engineers are skilled at manipulating something people want more of. It's how they stay in business.
Authority: We are more likely to be persuaded by someone in a perceived position of power.
If someone claims to have some sort of authority, we are much more likely to give them what they want. This is where we see a lot of business email compromise. Cybercriminals will often target employees who perform fund transfers by posing as higher-ups or executives in the company. Because these emails appear to come from someone in authority, employees are much less likely to give the request a second look.
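Defenders can turn the authority shortcut against the attacker by having the mail pipeline do the "second look" the employee is unlikely to take. The following is an added example, not code from the original post or from Corporate Information Technologies: it flags messages whose display name matches a known executive while the actual sender address is outside the company domain, and (going one step beyond the passage) messages whose Reply-To domain differs from the From domain, a common sign that replies are being routed to an attacker's mailbox. The company domain, executive names and sample messages are all constructed placeholders.

```python
"""Flag executive-impersonation patterns in email headers.

Added example (not from the original post). COMPANY_DOMAIN, EXECUTIVE_NAMES
and SAMPLE_MESSAGES are constructed placeholders, not real data.
"""
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"               # assumed company domain (placeholder)
EXECUTIVE_NAMES = ["Jane Doe", "John Roe"]   # constructed placeholder executive names


def normalize_name(name):
    """Lower-case, keep only letters, and sort the tokens so that
    'Doe, Jane', 'jane doe' and 'JANE  DOE' all compare equal."""
    tokens = re.findall(r"[a-z]+", name.lower())
    return " ".join(sorted(tokens))


# Pre-normalized set of executive names to compare display names against.
EXECUTIVES = {normalize_name(n) for n in EXECUTIVE_NAMES}


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(headers):
    """headers: dict mapping lower-case header names to values.
    Returns a list of human-readable findings (empty if nothing is suspicious)."""
    findings = []

    display, from_addr = parseaddr(headers.get("from", ""))
    from_domain = domain_of(from_addr)

    # Indicator 1: display name of an executive, but the sender is not on our domain.
    if normalize_name(display) in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append(
            f"executive display name '{display}' but external sender {from_addr}"
        )

    # Indicator 2: Reply-To points somewhere other than the sender's domain.
    reply_to = headers.get("reply-to")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if domain_of(reply_addr) != from_domain:
            findings.append(
                f"reply-to {reply_addr} does not match sender domain {from_domain}"
            )

    return findings


# Constructed sample messages: one legitimate, one display-name spoof from a
# free-mail account, one lookalike-domain Reply-To, one unrelated vendor mail.
SAMPLE_MESSAGES = [
    {"from": '"Jane Doe" <jane.doe@example.com>', "subject": "Q4 numbers"},
    {"from": '"Jane Doe" <jane.doe.ceo@gmail.com>', "subject": "Urgent wire transfer"},
    {"from": "John Roe <john.roe@example.com>",
     "reply-to": "john.roe@examp1e.com", "subject": "Invoice"},
    {"from": "Vendor Billing <billing@vendor.test>", "subject": "Statement"},
]


def scan(messages):
    """Map each message's subject to its list of findings."""
    return {m["subject"]: check_message(m) for m in messages}


if __name__ == "__main__":
    for subject, findings in scan(SAMPLE_MESSAGES).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{subject!r}: {status}")
```

In practice the executive list would come from the directory, and a hit would route the message to a quarantine or add a visible banner rather than silently dropping it, so the employee still sees the request but with the authority cue removed.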
Social engineering is a real threat. Whether you realize it or not, you are being persuaded every day towards making a decision. The hope now is that the next time you come across a shady offer you think longer about the potential implications. Keep an eye out, especially during this holiday season, and make sure you're secure!
Corporate Information Technologies provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.